Quantum key distribution device, quantum key distribution system, and quantum key distribution method
Abstract
According to an embodiment, a quantum key distribution device includes a sharer, a key distillation processor, a first manager, and a second manager. The sharer is configured to share a photon string with another quantum key distribution device using quantum key distribution via a quantum distribution channel, and obtain a photon bit string corresponding to the photon string. The key distillation processor is configured to generate a link key from the photon bit string. The first manager is configured to store the link key as a link transmission key. The second manager is configured to store, in a storage, a first application key from an application key to be used in cryptographic data communication, encrypt a second application key from the application key, using the link transmission key, and send the encrypted second application key to the other quantum key distribution device via a classical communication channel.
Claims
exact text as granted — not AI-modified
What is claimed is:
1. A quantum key distribution device that is connected to another quantum key distribution device by a quantum communication channel and a classical communication channel and that shares a cryptographic key with the another quantum key distribution device, the quantum key distribution device comprising:
a quantum key sharer configured to share a photon string with the another quantum key distribution device using quantum key distribution via the quantum distribution channel, and obtain a photon bit string corresponding to the photon string;
a key distillation processor configured to generate a link key as the cryptographic key from the photon bit string by a key distillation process;
a first manager configured to store the link key as a link transmission key to be used in data encryption in an internal or external storage;
a second manager configured to
store, in the storage, a first application key that has a predetermined role decided therefor from an application key that is the cryptographic key to be used in cryptographic data communication,
encrypt a second application key that has a role corresponding to the first application key decided therefor from the application key, using the link transmission key, and
send the encrypted second application key to the another quantum key distribution device via the classical communication channel; and
a key manager configured to manage the first application key that is stored in the storage for use in encryption or decryption when an application performs data communication.
2. A quantum key distribution device that is connected to another quantum key distribution device by a quantum communication channel and a classical communication channel and that shares a cryptographic key with the another quantum key distribution device, the quantum key distribution device comprising:
a quantum key sharer configured to share a photon string with the another quantum key distribution device using quantum key distribution via the quantum distribution channel, and that obtain a photon bit string corresponding to the photon string;
a key distillation processor configured to generate a link key as the cryptographic key from the photon bit string by a key distillation process;
a first manager configured to store the link key as a link reception key to be used in data decryption in an internal or external storage;
a second manager configured to
receive an application key that is the cryptographic key to be used in cryptographic data communication and has a predetermined role decided therefor, from the another quantum key distribution device via the classical communication channel,
decrypt the received application key using the link reception key, and
store the decrypted application key in the storage; and
a key manager configured to manage the application key that is stored in the storage for use in encryption or decryption when an application performs data communication.
3. A quantum key distribution system comprising a first quantum key distribution device and a second quantum key distribution device that are connected by a quantum communication channel and a classical communication channel, a cryptographic key being shared among the first quantum key distribution device and the second quantum key distribution device, wherein
the first quantum key distribution device includes
a first quantum key sharer configured to share a photon string with the second quantum key distribution device using quantum key distribution via the quantum distribution channel, and obtain a photon bit string corresponding to the photon string from the second quantum key distribution device using quantum key distribution via the quantum distribution channel,
a first key distillation processor configured to generate a link key as the cryptographic key from the photon bit string by a key distillation process,
a first link-key manager configured to store the link key as a link transmission key to be used in data encryption in an internal or external first storage,
a first application-key manager configured to
store, in the first storage, a first application key that has a predetermined role decided therefor from an application key that is the cryptographic key to be used in cryptographic data communication,
encrypt a second application key that has a role corresponding to the first application key decided therefor from the application key, using the link transmission key, and
send the encrypted second application key to the second quantum key distribution device via the classical communication channel, and
a first key manager configured to manage the first application key that is stored in the first storage for use in encryption or decryption when an application performs data communication, and
the second quantum key distribution device includes
a second quantum-key sharer configured to share the photon string with the first quantum key distribution device using quantum key distribution via the quantum distribution channel, and obtain a photon bit string corresponding to the photon string from the first quantum key distribution device using quantum key distribution via the quantum distribution channel,
a second key distillation processor configured to generate a link key as the cryptographic key from the photon bit string by a key distillation process,
a second link-key manager configured to store the link key as a link reception key to be used in data decryption in an internal or external second storage,
a second application-key manager configured to decrypt the second application key that is received from the first application-key manager via the classical communication channel, using the link reception key, and store the decrypted second application key in the second storage, and
a second key manager configured to manage the second application key that is stored in the second storage for use in encryption or decryption when an application performs data communication.
4. The system according to claim 3, wherein
the first key manager manages the link transmission key that is stored in the first storage for use in encryption when an application performs data communication, and
the second key manager manages the link reception key that is stored in the second storage for use in decryption when an application performs data communication.
5. The system according to claim 3, wherein
the first application-key manager
stores, in the first storage, a first authentication key as an authentication key to be used in data authentication that has a predetermined role decided therefor, and
encrypts a second authentication key that is the authentication key having a role corresponding to the first authentication key decided therefor, using the link transmission key, and
send the encrypted authentication key to the second quantum key distribution device via the classical communication channel,
the first key manager provides the first authentication key that is stored in the first storage to the first data communication function to generate authentication data based on communication data to be subjected to data authentication when a first data communication function communicates the communication data,
the second application-key manager decrypts the second authentication key that is received from the first application-key manager via the classical communication channel, using the link reception key, and stores the decrypted second authentication key in the second storage, and
the second key manager provides the second authentication key that is stored in the second storage to the second data communication function to generate authentication data based on communication data to be subjected to data authentication when a second data communication function communicates the communication data.
6. The system according to claim 5, wherein
the first application manager
operates as the first data communication function,
generates authentication data from the second application key that is encrypted using the link transmission key and that is to be subjected to data authentication, using the first authentication key provided by the first key manager,
attaches the authentication data to the encrypted second application key, and
sends the second application key to the second quantum key distribution device via the classical communication channel, and
the second application manager
operates as the second data communication function, and
generates authentication data from the encrypted second application key that is received from the first application-key manager via the classical communication channel, using the second authentication key provided by the second key manager.
7. The system according to claim 5, wherein
the first key distillation processor
operates as the first data communication function, and
generates authentication data from control information to be subjected to data authentication, using the first authentication key provided by the first key manager when the control information is received and transmitted from and to the second key distillation processor via the classical communication channel in a key distillation process,
the second key distillation processor
operates as the second data communication function, and
generates authentication data from the control information using the second authentication key provided by the second key manager when the control information is received and transmitted from and to the first key distillation processor via the classical communication channel in a key distillation process.
8. The system according to claim 7 , wherein the first application-key manager stores, when an algorithm for a key distillation process performed by the first key distillation processor and the second distillation processor is changed, the first authentication key that is the authentication key having a predetermined role corresponding to the changed algorithm decided therefor, in the first storage.
9. The system according to claim 5, wherein
the first key manager provides the first authentication key that is stored in the first storage to an application serving as the first data communication function to generate authentication data based on the communication data when the application communicates communication data to be subjected to data authentication, and
the second key manager provides the second authentication key that is stored in the second storage to an application serving as the second data communication function to generate authentication data based on the communication data when the application communicates communication data to be subjected to data authentication.
10. The system according to claim 5, wherein
the first quantum key distribution device further includes a third storage configured to store a first initial key that, before the first authentication key is stored in the first storage by the first application-key manager, is used in place of the first authentication key in a case in which authentication data is generated by the first data communication function, and
the second quantum key distribution device further includes a fourth storage configured to store a second initial key that, before the second authentication key is stored in the second storage by the second application-key manager, is used in place of the second authentication key in a case in which authentication data is generated by the second data communication function.
11. A quantum key communication method implemented in a quantum key communication system that includes a first quantum key distribution device and a second quantum key distribution device which are connected by a quantum communication channel and a classical communication channel and which share a cryptographic key, the method comprising:
obtaining a photon bit string corresponding to a photon string using quantum key distribution via the quantum distribution channel, the photon string being shared among the first quantum key distribution device and the second quantum key distribution device;
generating a link key as the cryptographic key from the photon bit string by a key distillation process;
storing the link key as a link transmission key to be used in data encryption in an internal or external first storage;
storing, in the first storage, a first application key that has a predetermined role decided therefor from an application key that is the cryptographic key to be used in cryptographic data communication;
encrypting a second application key that has a role corresponding to the first application key decided therefor from the application key, using the link transmission key;
sending the encrypted second application key to the second quantum key distribution device via the classical communication channel;
managing the first application key that is stored in the first storage for use in encryption or decryption when an application performs data communication;
obtaining a photon bit string corresponding to the photon string using quantum key distribution via the quantum distribution channel;
generating a link key as the cryptographic key from the photon bit string by a key distillation process;
storing the link key as a link reception key to be used in data decryption in an internal or external second storage;
decrypting the second application key that is received from the first quantum key distribution device via the classical communication channel, using the link reception key;
storing the decrypted second application key in the second storage; and
managing the second application key that is stored in the second storage for use in encryption or decryption when an application performs data communication.
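The following simulation, added here to illustrate the key relay of the abstract and claims 1, 2, 5, 6 and 10, is not code from the patent. It assumes the distilled link key is a constructed random byte string (the photon bit string and distillation process are abstracted away), that the link transmission/reception key is consumed as a one-time pad, and that authentication data is an HMAC-SHA256 tag keyed first by the initial key of claim 10 and then by the relayed authentication key; the patent names none of these primitives.

```python
import hashlib, hmac, secrets

class QkdDevice:
    def __init__(self, link_key: bytes, initial_key: bytes):
        self.link_key = link_key        # link transmission key (sender) / link reception key (receiver)
        self.initial_key = initial_key  # claim 10: pre-shared key used until an authentication key exists
        self.auth_key = None            # application key holding the "authentication" role (claim 5)
        self.app_keys = {}              # key_id -> (role, key), what the key manager hands to applications

    def _consume_link_key(self, n: int) -> bytes:
        # One-time pad assumption: each link-key byte is used once, then discarded on both sides.
        if len(self.link_key) < n:
            raise RuntimeError("link key exhausted; wait for the next distillation round")
        chunk, self.link_key = self.link_key[:n], self.link_key[n:]
        return chunk

    def _auth_data(self, msg: bytes) -> bytes:
        key = self.auth_key if self.auth_key is not None else self.initial_key
        return hmac.new(key, msg, hashlib.sha256).digest()

    def relay(self, key_id: str, role: str, app_key: bytes) -> tuple:
        """Sender: keep the first application key, send the corresponding second key
        encrypted under the link transmission key, with authentication data attached."""
        header = f"{key_id}:{role}:".encode()
        ct = bytes(a ^ b for a, b in zip(app_key, self._consume_link_key(len(app_key))))
        auth_data = self._auth_data(header + ct)  # computed before a new auth key takes effect
        self._store(key_id, role, app_key)
        return header + ct, auth_data

    def receive(self, msg: bytes, auth_data: bytes) -> None:
        """Receiver: verify authentication data, decrypt with the link reception key, store."""
        if not hmac.compare_digest(self._auth_data(msg), auth_data):
            raise ValueError("authentication data mismatch; key relay rejected")
        key_id, role, ct = msg.split(b":", 2)
        pad = self._consume_link_key(len(ct))
        self._store(key_id.decode(), role.decode(), bytes(a ^ b for a, b in zip(ct, pad)))

    def _store(self, key_id: str, role: str, key: bytes) -> None:
        self.app_keys[key_id] = (role, key)
        if role == "auth":  # claim 5: this key authenticates all later relays
            self.auth_key = key

def run_relay() -> tuple:
    link = secrets.token_bytes(96)  # constructed: stands in for the distilled link key
    init = secrets.token_bytes(32)  # constructed: initial key of claim 10
    alice, bob = QkdDevice(link, init), QkdDevice(link, init)
    for key_id, role in [("k0", "auth"), ("k1", "data")]:
        bob.receive(*alice.relay(key_id, role, secrets.token_bytes(32)))
    return alice, bob
```

Both devices consume link-key material in lock step, so a rejected relay leaves the receiver's link reception key untouched and the two sides stay aligned.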